Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about the analysis, reproduction and repair of xss loopholes in jQuery. The article is rich in content and analyzes and describes for you from a professional point of view. I hope you can get something after reading this article.

1. The formation and harm of xss vulnerabilities.

Formation: the xss vulnerability, also known as cross-site scripting, is simply due to the fact that the application does not correctly harmlessly handle user-controllable input and places it in the output that acts as a Web page. This can be exploited by cross-site scripting attacks.

Harm: once a malicious script is injected, an attacker can perform a variety of malicious activities. An attacker may transfer private information (such as a cookie that may contain session information) from the victim's machine to the attacker. An attacker may send a malicious request to a Web site as a victim, which can be particularly dangerous to the site if the victim has administrator privileges to manage the site. Phishing attacks can be used to impersonate a trusted site and induce the victim to enter a password, allowing an attacker to compromise the victim's account on the Web site.

There are three main types of XSS:

Type 1: reflected XSS (also known as "non-persistent")

The server reads the data directly from the HTTP request and reflects it back to the HTTP response. When a reflective XSS utilization occurs, an attacker can cause the victim to provide dangerous content to the vulnerable Web application, which is then reflected back to the victim and executed by the Web browser.

Type 2: stored XSS (also known as "persistence")

Applications store dangerous data in databases, message forums, visitor logs, or other trusted data stores. At some point in the future, the hazardous data will be read back to the application and included in dynamic content. If one of the users executes malicious content, it is possible for the attacker to perform privileged operations as that user or to gain access to sensitive data belonging to that user.

Type 3: DOM-based XSS

In DOM-based XSS, the client performs the operation of injecting XSS into the page; in other types, the injection is performed by the server. DOM-based XSS usually involves server-controlled trusted scripts sent to the client, such as Javascript that performs a sanity check on the form before the user submits it.

2. JQuery's latest xss loophole analysis and reappearance of 2.1environment

For this vulnerability, the original author set up an online environment with three xss poc built-in. Click the Append via .html () button to trigger the xss.

Environmental link

2.2 Source code analysis

First simulate a development environment with the first red box. Although all three poc use img tags containing onerror events, they are actually placed inside attributes or style elements, so the HTML cleaner is bypassed.

The review element found that one more closed tag appeared after the click, and the subsequent pop-up script was successfully executed.

2.3 vulnerability resolution

The key to this vulnerability is that in the html () method, the HTML string passed as an argument is passed to the $.htmlPrefilter () method, which is used to replace the self-closing tag, such as, the rule used before version 3.x recognizes x "as the tag and adds

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.